Notice From Mercumaya – Gumblar Attacks

Safeguarding your website from Gumblar Attacks

Over the past few weeks, several websites hosted on our Linux Servers threw up virus alerts. Further investigation revealed that these alerts were triggered by an injection attack on packages hosted on our servers, commonly known as Gumblar Attacks. FTP logs of these infected packages indicated that machines of the customers who own those domains were compromised and had been used to upload malicious content to their respective Hosting Packages. A few pointers for your benefit:

What is a Gumblar Attack?

Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files using obfuscated Javascript. They load malware content from Third Party sites without the user’s knowledge, while also stealing FTP credentials from the victim’s computer, which then allows it to spread and infect additional sites. Therefore, when someone visits such an infected site they get infected; if they have FTP credentials for a website on their machine then those sites get infected too. This explains the exponential growth of the exploit in such a short space of time.

Gumblar is a computer virus that first appeared in 2009. It has been identified as one of the most malicious viruses in existence.[citation needed] It is characterized by re-directing user’s Google searches and is suspecting to come from Adobe Flash and PDF files. (Wikipedia)

What makes it different from other Malware exploits?
There are a number of aspects to this exploit that not just help it spread, but also make it difficult to remove. Firstly, it infects users browsing legitimate websites; if these users are webmasters then it infects their websites by using their FTP credentials to inject the script into their site. The obfuscated malicious code being dynamically generated, makes it difficult to detect and difficult to automatically remove. Not only does the script vary from site to site, it can also vary from page to page on that the one site.

CNET published an article for more detailed, check out the following news article.

What steps you should be taken?

  • It is a good practise to reset ypur FTP password change them often.

  • Regards,

    MERCUMAYA.NET A Division Of NETLYNX Solutions.

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.